OPINION / Cyber Boot Camp

Thu, 2009-11-05 05:27 PM

The Department of Homeland Security recently announced plans to hire 1,000 cyber security experts over the next three years. The decision signals the seriousness with which DHS takes the cyber threat. But there is a problem. DHS stands no chance of meeting its goal.

In the past, DHS has had a poor track record of attracting talent to the department, particularly in technical fields. Few competent professionals already within the federal ranks want to go to DHS. Recruiting in the private sector is equally hopeless. No bag of incentives that DHS can possibly offer can compete with pay and performance packages available in the private sector, where demand for skilled services continues to increase even in the down economy. I have yet to meet an out-of-work cyber security expert, and when I do, I doubt he will be able to get a security clearance.

Given DHS's responsibility for protecting the private sector from cyber attacks, the last thing the department should do is reduce the ability of companies to defend themselves by taking away competent security professionals to fill government roles. From the financial industry to software vendors, the private sector is under constant attack -- private companies need thousands more security professionals and cannot afford to give up the people they have. The same holds true for the rest of government. Given DHS's responsibility for protecting all .gov networks, recruiting personnel from other federal agencies may do more harm than good.

Targeting college and graduate programs will also yield few willing candidates. Computer science departments do not teach students to become cyber security experts. In fact, the opposite is true. Security is viewed in many of our nation's top universities as hampering innovation with burdensome requirements for writing new programs. Most universities do not even teach basic safe-coding practices. While that attitude is responsible for a great many of the bugs that plague your desktop computer, little can be done about it in the short term. The best program the federal government has to attract computer science graduates to public service brings in only about 120 new civil servants each year, when 10 times that number are needed.

If DHS pursues the goal of hiring 1,000 cyber security experts (or even 1,000 people who know anything at all), the department will likely fall well short of the target numbers and fail to meet quality standards. Most of the candidates that are hired will be sub-par. To solve the problem of insufficient cyber security personnel, DHS should stand the recruiting campaign on its head. Instead of hiring 'experts,' the recruiting program should focus on attracting new talent to the field.

Right now, there is a very large pool of recent college graduates who are out of work. Millions of other competent individuals are also unemployed, many in fields that may not recover. On the other side of the equation, DHS, other federal agencies, and the U.S. market in general need thousands of new cyber security professionals.

Defense of networks cannot be accomplished by firewalls, intrusion prevention systems and anti-virus programs alone. When systems are under attack by skilled, thinking adversaries, they need to be actively defended by equally skilled cadres of security professionals. The real weapons in cyberspace are not worms, botnets and malicious code, but the people who make and control them and the people who can stop them.

On the defensive side, there are simply not enough capable people to do the job. Many experts believe that between the government and the private sector, we need an additional 30,000 to 40,000 more cyber security professionals, right now, with that number only set to increase as more of our economic activity and government operations go online. Our university system is not prepared or interested in producing them. DHS should be.

Advanced education in computer science is by no means a prerequisite for developing the kinds of skills that DHS desperately needs. Take any Top 10 list of successful entrepreneurs in the computer industry, or better yet a Top 10 list of hackers, and fewer than half have college degrees in computer science. The noted gray hat hacker Peiter 'Mudge' Zatko, who testified before Congress in 1998 that he and his buddies could take down the Internet in 30 minutes, went to the Berklee College of Music. Who knows how many unemployed English majors could, with a little bit of training, learn to see and fix vulnerabilities the way someone like Mudge can?